Ransomware as a business model

Legal aspects of ransom payment

Yan Borboën
Partner, Digital Assurance & Cybersecurity and Privacy, PwC Switzerland

Ransomware attacks and extortion are the biggest threats to corporate cybersecurity across all regions and industries, and they have become a lucrative business for cybercriminals. In our blog series “Ransomware as a business model”, we explain the different phases (preparation, attack, spread, and infection) of ransomware attacks, how they work, and how to react. In today’s blog, we shed the spotlight on legal aspects of ransom payment.

Ransomware attacks continued to be the biggest threat to corporate cybersecurity in 2021 – across all regions and industries. The number of reported ransomware attacks, in which criminals attempt to extort companies, increased from 1,300 in 2020 to 2,435 in 2021.

Source: PwC, 2022, Cyber Threats 2021: A Year in Retrospect
The New Equation

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more


Ransom payment decision factors

Following an attack, a company must evaluate whether it wants to pay the ransom or try to restore the systems itself, and it must weigh the risks of such a decision. Four factors are decisive in this decision-making process:

  • Feasibility: Is it possible for the company to recover its systems and information in a timely manner from its backups?
  • Effort: How much work is required to recover the company’s systems and information? Does the company have the people and the tools for it? How much would it costs?
  • Impact: What would be the impact of delays due to the recovery process to the company’s business, customers, and employees?
  • Legality: Can the company pay the ransom without legal infringements? What legal risks is the company exposed to?

These factors must be part of a pragmatic risk analysis. PwC does not recommend paying a ransom demand, since there is no guarantee that data will be recovered, or that exfiltrated data will not be passed on or sold to third parties. Ransom payments also fund the continued activity of cyber criminals.

However, if the company believes that it is unable to restore its systems, or that it could only do so with great effort and at a financial cost that far exceeds the amount of the ransom, management must deal with the question of the ransom payment’s legality.

Cyber incident response and recovery

We have a broad range of flexible solutions, including entire packages, to help you plan and prepare for cybersecurity incidents.

Find out more

Further risks in case of ransom payment and data loss

First and foremost, there is a risk that despite paying the ransom, the company will not receive the key to decrypt the data and/or that the stolen data is nonetheless published. It also highlights to the attackers and to attacker groups (as word travels quickly amongst them) that the company is willing to pay a ransom, which might open it up to renewed attacks.

The company could also deal with reputational, operational, criminal, and – for supervised entities such as banks and insurance companies – regulatory risks.

Another aspect to consider is the logistics of paying a ransom. Most companies do not have cryptocurrency wallets and do not keep funds in a cryptocurrency. Furthermore, the company’s bank might not execute the payment, due to compliance mechanisms in place related to anti-money laundering, terrorist financing, and sanctions.

If a company’s data has not only been encrypted, but also acessed or even stolen, the GDPR and the revised Swiss Federal Act on Data Protection, which will enter into force on 1 September 2023, both contain a reporting obligation to data protection authorities and data subjects. Companies which are supervised by the Swiss Financial Market Supervisory Authority (FINMA) must additionally report such incidents to the FINMA. This can lead to a logistical effort, which mustn't be underestimated.

Formal decision-making process

The above points should be translated by the company into a formal decision-making process. The steps need to be defined and approved in advance by the company’s leadership and must include the validation by the legal department. The decision-making process can be part of a broader corporate policy on responding to ransomware attacks. The legal and compliance functions should:

  • be included in the preparation efforts concerning incident response,
  • provide the company’s legal and compliance stance on ransom payment and pre-analyse the legal risks, including risks associated with payments to threat actors with connections to nation states, as well as potential extraterritorial application of laws concerning ransom payment,
  • monitor regulatory changes in jurisdiction in which the company operates, and
  • be trained and prepared, as in case of an attack there is usually no time for deeper legal research.

How can PwC support you to be more secure and prepared for a ransomware attack?

Ideally, you are prepared and able to defend your company against a ransomware attack – which also includes the preparation of the legal and compliance functions of the company.

Our experts support you with their in-depth knowledge with the following services:

  • Ransomware readiness assessment
  • Development of ransomware policies, procedures, and playbooks
  • Preparedness test of the leadership team in making key decisions on time through crisis management exercises tailored for ransomware attacks
  • Advice on compliance with money laundering and terrorist financing regulations, sanctions, or other laws
  • Risk management / corporate governance consulting
  • Any further support of the legal and compliance functions

Should you nonetheless be the victim of a cyber-attack, we support you with our extensive knowledge of quickly responding to cyber-incidents, we navigate you through the storm and help you to respond and recover from a disrupting event with the following services:

#social#

Building trust to succeed

At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.

Explore our offering

Contact us

Yan Borboën

Yan Borboën

Partner, Leader Digital Assurance and Cybersecurity & Privacy, PwC Switzerland

Tel: +41 58 792 84 59

Xavier Bédat

Xavier Bédat

Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 14 84